Easily onboard new users that have JumpCloud managed devices by integrating your existing Identity Provider (IdP) with JumpCloud. This allows your users to securely access their devices by logging in with their IdP credentials.
Prerequisites:
- You need to have JumpCloud set up as an OIDC app in your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation to learn more:
- You need to have Admin with Billing permissions to configure an IdP.
- You need to have an existing IdP managing your users to benefit from federated authentication.
- All JumpCloud users must have unique company email addresses, and the email of the JumpCloud user and external IdP email used for Federation have to match.
Considerations:
- Federated IdP authentication doesn’t capture the user’s IdP password. If Device Password Sync is set to NO, then users will be prompted to create a local passcode (password) on Mac or local PIN or passcode on Windows. If Device Password Sync is set to Yes, then JumpCloud will sync the JumpCloud password to the device and set it for the user account on the device.
- Federation does not currently support authenticating with JumpCloud Go.
- Federation does not currently support JumpCloud Multi-Factor Authentication (MFA) for users in addition to external IdP authentication. However, MFA may be applied at the IdP.
- Features like device provisioning and local self service password reset is currently not supported on Linux.
Externally Managed Passwords
Externally managed passwords prevent password changes within JumpCloud, both by users and admins. When users are set to Password Externally Managed, they will no longer receive password expiration notifications and password expirations will no longer apply to them.
Use this setting when a user’s password is being managed by an upstream integration or when they’re authenticating with an external identity provider (IdP).
Note: Once this setting is enabled, users will not be able to change their own password from their JumpCloud device tray application, User Portal, or any other password reset flow. Additionally, admins won’t be able to set user passwords from the Admin Portal.
Workflow

- Prepare your IdP to configure with JumpCloud.
- You will need to add JumpCloud as an application to your IdP with the appropriate settings enabled to continue setting up Federated Authentication for your org, see our IdP configuration documentation:
 
- Configure your IdP in JumpCloud.
- Verify that you want to enable Federated Device Authentication for your users’ login.
- This will require all users to authenticate with their IdP.
 
 
- Verify that you want to enable Federated Device Authentication for your users’ login.
- Automatically bind users to devices by configuring Self Service Account Provisioning, or Automated Device Enrollment, based on whichever OS you’re provisioning, see Provision New Users on Device Login to learn more. 
- Users logging into their device for the first time will use their IdP credentials to sign in. This also creates a local user on the device.
- By default, any new users that are associated with the device will automatically have their JumpCloud password synced to their device password. You can disable this so that any new user to device associations will not have their JumpCloud password synced to their device. Instead, the user will enter a local password to log into their device. See Device Password Sync to learn more.
- The JumpCloud account will be automatically bound to the JumpCloud device upon successful user login to the external IdP.
 
- Optionally, restrict your user's password in JumpCloud.
- Users won’t be able to set or update a password in JumpCloud. Users won’t receive any password related communication or emails.
- Admins won’t be able to set or update a user’s password in JumpCloud either.
- Passwords can continue being synced from any SCIM or REST integration for this user.
 
Device Management Deployment Scenarios
Scenario 1: Device Management with an External IdP
Identity management is kept in your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. New users will set up and maintain a local passcode on their device. Existing users will maintain their existing passwords after they become managed by JumpCloud. If the user forgets this passcode, it may be reset with an external IdP login. The passcode is stored locally on the device, reducing the risk of compromise and allowing for offline authentication. The user can log in to any web-based resources (like JumpCloud’s User Portal, SSO apps, local account provisioning flows, etc.) with their IdP login.
- User identities live, and are managed in an existing, external IdP like Azure AD, Google Workspace, or Okta.
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.
- Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation.
- The local user account will then be created on the device, and become managed by JumpCloud.
- The user will create a local passcode to access their device. This passcode can be reset from the login window by authenticating through the external IdP.
Device password: Local credentials
Zero Trust Controls: IdP
MFA: IdP
Scenario 2: Device Management with IdP Password Sync
Identity management is kept within your existing IdP. Identities are synced into JumpCloud for the purpose of IdP login. Passwords are also synced from your IdP into JumpCloud outside of the OIDC IdP login flow (which doesn’t capture the password). This password is synced to the user’s device, resulting in the IdP password, and the device password being in sync. Optionally, an IdP object can be configured allowing users to log in with their IdP credentials for web-based logins.
- User identities live, and are managed in an existing, external IdP, like Okta.
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.
- Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation.
- The local user account will then be created on the device, and become managed by JumpCloud.
- The user’s password is managed by the external IdP, and then synced to the JumpCloud account.
This only applies to Okta users. GWS and M365 users' passwords are not synced.
- User password changes and resets have to be done in the IdP.
Device password: IdP
Zero Trust Controls: IdP
MFA: IdP
Scenario 3: Device Management with JumpCloud Password Sync and External IdP Login
In this scenario, identity management is kept within your existing IdP. Identities are synced to JumpCloud for the purpose of IdP login. Users are also associated to a Cloud Directory integration. This enables JumpCloud to own the password, but your IdP to own the identity. Users can change their password from their device, allowing the password to be synced to JumpCloud, and to their IdP. The user will log in with their IdP for web-based logins with the password that’s managed by JumpCloud. Any Zero Trust, MFA, etc., controls will be enforced at the IdP login.
- User identities live, and are managed in an existing, external IdP like Azure AD, or Google Workspace.
- Sync the user identities into JumpCloud using a Cloud Directory, or SCIM integration.
- Once the users are synced, and are logging into their device for the first time, they’ll be redirected to authenticate to the external IdP via JumpCloud federation.
- The local user account will then be created on the device, and become managed by JumpCloud.
- The user’s password is managed by JumpCloud, or on the device itself, and then synced to the IdP.
Device password: JumpCloud
Zero Trust Controls: IdP
MFA: IdP
FAQ
No. During the federated login flow, JumpCloud does not capture the IdP password.
- Admins need to decide whether they want their users device passwords synced or not.
- If password sync is set to No, then during the local account join, the user will be prompted to set a local passcode (Mac) or PIN or passcode (Windows). This is a local passcode to the device, which is not synced to or from JumpCloud.
Any resource that supports browser-based logins: User Portal, SSO apps, Self Service Account Provisioning, Mac ADE, and local password resets.
Any resource that does not support browser-based logins: LDAP and RADIUS
- Both Windows and Mac users can reset their PIN or local password from the device login window. See Windows/Mac Self-Service PIN/Password Reset for Local Password Users to learn more.
Account lockout applies to all users in an organization. If all users will authenticate with an IdP, and therefore use a local device credential, the OS lockout mechanisms may be used. In this case, JumpCloud account lockout doesn’t need to be configured. However, even if JumpCloud account lockout is configured, it can be overridden for individual users on devices by navigating to USER MANAGEMENT > Users, clicking a specific user, then under the User Security Settings and Permissions dropdown, select Bypass account lockout policy for user’s managed device.
Mac (and Windows): Admins can unlock the account in the Admin Portal, see Unlock User Accounts to learn more.
Yes. You can create a routing policy to have specific groups of users required to authenticate through their IdP. See Routing Policies for Identity Providers to learn more.
Yes, however this will prevent the user self service password reset flow from functioning by obscuring the Self Service Account Provisioning option.
By default, a PIN is required for Windows users. If users only set a PIN, they will not know their local account device password unless they explicitly set it after login with PIN or biometric. This will result in denied logins, and could lead to lockouts by the OS or on the JumpCloud account, if configured.
You can disable the PIN requirement for Windows devices using the Windows Self-Service Account Provisioning Policy. If PIN is disabled, users will set a local password which they can reset using Windows Self-Service PIN or Password Reset for Local Password Users. 
- Windows: By default with PIN required, no. A randomized complex password value is set upon account creation. The PIN is set by the user and leverages the Windows default PIN length (6 digits).
- If the PIN requirement is disabled via SSAP Policy, then the password complexity settings are pushed to the device and enforced. Aging settings are not evaluated.
 
- Mac: Yes. The password length and complexity settings are pushed to the device and enforced. Aging settings are not evaluated.
Yes, accounts can be manually bound to devices in the Admin Portal. Use the Password Sync dropdown to determine if the user's JumpCloud password will be synced to the device or not. For Federated accounts where the user logs into the device with a local password or PIN, set Password Sync to No.
Learn More
This could be caused by an issue with the configuration for the Identity Provider on the JumpCloud side or on the OIDC Client App on the Identity Provider side. Check the details of your configuration, and make sure your client ID and secret are correct. It may be necessary to regenerate a new secret in your IdP and try the configuration again if the problem keeps happening.

 
                 
                     
             Subscribe to Help Center RSS Feed
Subscribe to Help Center RSS Feed

 In this Article
In this Article Learn More
Learn More